Coming from the perspective of directly working on the critical infrastructure I can say he's both right and wrong. There is certainly plenty to worry about. The critical infrastructure is being attacked everyday (mostly by nation states). However, the political solutions really do nothing to resolve the issue. It's mostly like he said about making money for the vendors selling "solutions", and government agencies. In our case, we are required (by federal regulations) to share data with other utilities necessitating a connection from our internal control systems to the outside world. The government has made all of these rules that we must comply with. Many of them make sense like patching the OS and third party software, having backups in place, malware prevention, monitoring equipment, etc. However, if we were to have something like stuxnet that was below the radar and sat there for years none of that would be much help, and that's really the most likely scenario. For now at least the government seems more interested in fining companies than they are ensuring their security. These fines cannot be recovered from rate payers, but how long before companies throw in the towel because they can't make a profit anymore? How long before shareholders dump their stock and move on to something more lucrative? When that happens who provides water, electricity, gas service, etc? It's pretty scary when you think about it.